Best practices for managing Windows 10 in the enterprise

Windows and the enterprise market have gone together like peas and carrots since computers were brought into the mainstream, and that relationship continues today. Managing a fleet of Windows 10 computers in an enterprise setting is easier than ever, but there are still some things to consider when setting up your environment.

A small bit of backstory on me: my day job involves configuring, tracking and managing Windows laptops and desktops for a ~500 person non-profit. The tips I'm sharing below are what I've picked up since starting the job seven months ago.

Use SCCM

System Center Configuration Manager, or SCCM, is Microsoft's own suite for managing Windows deployments in an enterprise setting. Administrators can use SCCM to remotely control client machines, manage updates and patches, and even manage iOS and Android devices. SCCM does have a licensing cost per device, which keeps my company from using it. Still, do some research to find out whether SCCM is worth the cost for your company.

Have one installation image

In the past, a Windows installation image would need to be customized with specific drivers for each machine. One of my favorite parts of Windows 10 is that the base image has generic drivers for networking, display output, audio and other key components. This means I need to have one single installation image for all of my machines, making it easier to ensure each machine is set up and patched in a uniform way.

Rely on Windows Update

The other piece that lets me just use one installation image is how great Windows Update has become over the years. Starting with Windows 10, Update can now detect which components your computer is using and if those components need an update. This includes networking, display, audio, trackpads, firmware updates (for Surface devices) and more.

Windows Update isn't entirely foolproof, though it does work 90% of the time. For some components, you may need to check for updates in Device Manager or download an update utility from the computer's manufacturer.

Speaking of Windows Update, it's worth taking the time to set up an update server for your company. This will let you test updates before rolling them out to client computers. Almost as important, it will let you reduce Internet costs and bandwidth use. If everything is configured correctly, your client computers will pull the update files from your internal Windows Update server, rather than dozens or hundreds of computers all pulling the update from Microsoft's servers.
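
One way to check the "configured correctly" part on a client, as an added example that is not the author's own script: it reads the Windows Update policy values that Group Policy writes to the registry (WUServer, WUStatusServer and AU\UseWUServer) and reports why a machine would not be using the internal server. The function names and the host name wsus.corp.example are assumptions.

```powershell
# Added example. Function names and 'wsus.corp.example' are assumptions.
# Emits one line per problem; no output means the policy looks correct.
function Test-UpdateServerPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,   # WUServer, WUStatusServer, UseWUServer
        [Parameter(Mandatory)] [string] $ExpectedHost
    )
    # WUServer is only honoured when AU\UseWUServer is 1.
    if ($Policy.UseWUServer -ne 1) {
        'UseWUServer is not 1: the client ignores WUServer and uses Microsoft''s servers'
    }
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($Policy.WUServer)) {
        'WUServer is not set'
    }
    elseif (-not [uri]::TryCreate([string]$Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        "WUServer is not a valid URL: $($Policy.WUServer)"
    }
    else {
        if ($uri.Host -ne $ExpectedHost) { "WUServer points at unexpected host '$($uri.Host)'" }
        if ($uri.Scheme -ne 'https') { 'WUServer is not HTTPS: update traffic is unprotected in transit' }
    }
    # Microsoft documents that both values must match for the policy to be valid.
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        'WUStatusServer does not match WUServer'
    }
}

# Reads the live policy from the registry of the machine it runs on.
function Get-UpdateServerPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    @{ WUServer = $p.WUServer; WUStatusServer = $p.WUStatusServer; UseWUServer = $au.UseWUServer }
}

# Constructed sample of a misconfigured client (not real data).
$sample = @{
    WUServer       = 'http://wsus.corp.example:8530'
    WUStatusServer = 'http://wsus.corp.example:8530'
    UseWUServer    = 0
}
Test-UpdateServerPolicy -Policy $sample -ExpectedHost 'wsus.corp.example'

# Live check on a Windows client:
# Test-UpdateServerPolicy -Policy (Get-UpdateServerPolicy) -ExpectedHost 'wsus.corp.example'
```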

Install as few programs as possible

Until every program is available in the Windows Store, each program you install is going to rely on its own update service and connection to the Internet. Each of those update services represents a potential attack vector for the machine and your network, so only install the essentials for each user. For us, that's Google Chrome (more on that later), Chrome Remote Desktop, ESET Anti-Virus, FortiClient VPN, Parallels Client, and 8x8 Virtual Office. Within Chrome, we only allow a few extensions (Chrome Remote Desktop, LastPass, Adblock Plus) because browser extensions are also an attack vector.

Document everything and have a plan when things go bad

This is something I need to get better at. Even though I have my initial setup process for desktops and laptops down to a T, I still need to actually write it down. There will be a day when I'm on vacation or no longer working for my company, and someone else will need to set up a Windows computer. If you're an IT admin, just write down the processes for everything you do. Even if the end product isn't pretty, it's better than nothing.

Also, know that you're going to have bad days. You're going to have times when your bosses demand a fix for that thing they heard about on the news, and the only answer you can give them is, "We have to wait for updates." It happens. Know it's going to happen, so you're not blindsided.

Consider other operating systems

Truth be told, most people don't need everything that Windows does. I mentioned Google Chrome earlier because a vast majority of our users are on Chromebooks and Chromeboxes. This may sound counterintuitive, but if your users don't need anything more than a web browser, a Chromebook is a good option. Chromebooks are criticized for not being able to run the same software that Windows computers can, but that has a big benefit: malware designed for Windows computers just doesn't work on a Chromebook.

What say you?

Do you manage Windows computers for your company? What advice do you have? Let us know down below!